Developing documents
Answer:
You only have to develop policies and implement controls in these situations:
- There are unacceptable risks that can be treated by the control/policy
- There are legal requirements (e.g., laws, contracts, or regulations) demanding the implementation of the control/policy
- Top management has decided to implement the control/policy (normally by considering it a good practice or because the organization will have a competitive advantage with its adoption)
If none of these reasons occurs, you do not need to develop the policy / implement the control.
These articles will provide you with further explanation about developing policies and implementing controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Oct 23, 2018